Key Components of Healthcare Data Security
In 2018, the Department of Health and Human Services (HHS) released guidance for how organizations can improve their healthcare data security. This was meant to provide a framework that healthcare organizations can use to ensure their PHI is secure.
Organizations working with PHI should implement the following cybersecurity practices:
- Risk management
- Configuration management
- Vulnerability management
- Access management
- Asset management
- Audit logging and monitoring
- Incident management and response
- Disaster recovery and business continuity
- Network protection
- Endpoint protection and detection
- Data protection tools/technology
- Third-party assurance
- Password management
- Wireless protection and detection
- Transmission protection
- Mobile device management
- Physical and environmental security
- Employee training and awareness
Implementing all of the recommended cybersecurity practices can be difficult if you don’t have a dedicated IT staff. Organizations that do have an IT staff should appoint a chief information security officer (CISO). Small to mid sized organizations may not be able to hire a CISO due to budget constraints, and as such should consult a managed security service provider (MSSP) to implement the recommended cybersecurity practices.
How to Instill a Culture of Healthcare Data Security
Now that you are aware of what you need to implement, we will discuss how you can implement the cybersecurity recommendations.
Control Access to PHI
A key component of healthcare data security is controlling who has access to your data. HIPAA requires you to implement access management in line with the minimum necessary standard. This standard mandates that employees and business associates should only have access to the PHI that they require to perform their job functions.
To implement access management, each employee must have unique login credentials to access PHI. This enables you to provide different access levels to data based on the employee’s job role.
Track Access to Data
To ensure adherence to the minimum necessary standard, and to enable breach detection, you must track data access. Keeping an audit log allows you to establish regular PHI access patterns for each employee. This is the key to detecting both external and internal breaches – when data is being accessed outside the norm.
You can’t expect employees to adhere to HIPAA standards if they are not aware of what they are. This is why employees must be trained annually on HIPAA basics, cybersecurity best practices, and your organization’s policies and procedures. Employee training must be documented, and employees should have a means of communicating when they do not understand the training material.
Encryption converts sensitive data into a code that can only be read with a decryption key. This prevents unauthorized users from viewing the data, making encryption an important part of healthcare data security. End-to end encryption is the most secure method of protecting data, as it protects data at rest (data being stored on your network) and data in transit (data being sent to an external entity).
Secure Mobile Devices
When allowing employees to connect to your network with their personal mobile devices, or company issued mobile devices, you must ensure that the mobile device is secure. This requires several measures to be implemented, including:
- Managing all devices, settings, and configurations
- Requiring the use of strong passwords
- Enabling the remote wipe and lock features so that data on lost or stolen devices cannot be accessed by unauthorized users
- Encrypting application data
- Monitoring email accounts and attachments
- Training employees on mobile device cybersecurity best practices
- Implementing guidelines or whitelisting policies to prevent risky apps from being installed on devices
- Requiring employees to keep their device’s software updated
- Requiring security software to be installed on mobile devices
Manage Devices Connected to Your Network
Mobile devices, laptops, and tablets are not the only devices that connect to a healthcare organization’s network. There are several medical devices that also require internet access. To prevent these devices from risking your healthcare data security, you should:
- Connect medical devices to their own separate network
- Monitor device networks with audit logs
- Disable non-essential services on devices before using them
- Implement multi-factor authentication
- Install software patches to keep all devices up-to-date
Your PHI data, as well as your business critical data, should always be